Energy Company Boards, Cybersecurity, and Governance – Collected Materials [1]


Upload: geo-thaliath

Post on 10-Jan-2016


1 | Page

Energy Company Boards, Cybersecurity, and Governance – Collected Materials [1]

http://www.EnergyCollection.us/457.pdf - this collection
http://www.EnergyCollection.us/456.pdf - associated paper on Energy Boards and Governance for Cybersecurity

The original purpose of this collection is to serve as a reference document to various materials that may be of interest to those responsible for or researching the subject of Cybersecurity and Governance within the context of a Board of Directors. However, while continuing to serve that purpose, the extent has been expanded to include a much broader collection of materials – including references to standards and technical materials.

The organization of the document is simply alphabetical. Articles and reports are generally referenced by the first 3 words in the title of the article or report, for ease of finding the reference here. Terms and names of groups are simply inserted alphabetically in the continuous list. And so on. There has been an effort to group the references by source. The process is a continuous one.

Most of the material has been replicated with a link to the www.EnergyCollection.us site (maintained by the producer of this collection) to ensure availability. There is a renewed effort to quote the original site as well – many of these references have been restated through www.tinyurl for readability.

This Collection is meant to be a companion document to a Paper, "Energy Company Boards, Cybersecurity, and Governance", which discusses these subjects from a Board responsibility perspective. The paper can be downloaded at http://www.EnergyCollection.us/456.pdf

With a bit less than 100 pages of references, Board members may face the question – Where do I start? These references are suggested starting points:

NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0 – NIST Special Publication 1108R3 - Framework 3.0 updates the plan for transforming the nation's aging electric power system into an interoperable smart grid – a network that will integrate information and communication technologies with the power-delivery infrastructure, enabling two-way flows of energy and communications. Beginner's Guide: http://www.EnergyCollection.us/Companies/NIST/NIST-Framework-Roadmap-1108R3-B.pdf

[1] Last updated July 9, 2014


From a technical perspective, thanks to Joel Langill (the SCADAhacker) for pointing out Annex III, ICS Security Related Standards, Guidelines and Policy Documents, a European Union document by the European Network and Information Security Agency (ENISA). It is a (definitive?) collection of standards related to Industrial Control Systems and is of great value to practitioners.

If you have a good reference that should be included here, email [email protected] [2] and it will be included.

[2] LinkedIn - www.linkedin.com/in/paulfeldman/


    Table of Contents with Links

    1. 5 Tips to Cybersecure the Power Grid 2. 13 Ways Through a Firewall 3. 2012 Cost of Cyber Crime Study: United States 4. 2012 Utility Cyber Security Survey 5. 2013 Annual Cost of Failed Trust Report: Threats & Attacks 6. 2013 Data Breach Investigations Report [of 2012] 7. 2014 Data Breach Investigations Report 8. 440 Million New Hackable Smart Grid Points 9. Aberdeen Group 10. Advanced Cyber Security for Utilities 11. Advanced Persistent Threat- term

    i. AGA Report No. 12 - Cryptographic Protection of SCADA Communications

    12. AlienVault Open Threat Exchange i. American Gas Association ii. AGA Report No. 12 - Cryptographic Protection of SCADA

    Communications 13. American National Standards Institute - ANSI 14. ANSI Homeland Defense and Security Standardization Collaborative - HDSSC 15. Identity Theft Prevention and Identity Management Standards - ANSI 16. American Public Power Association 17. AMI Penetration Test Plan - DOE 18. Analysis of Selected Electric Sector High Risk Failure Scenarios - DOE 19. Annex III, ICS Security Related Standards, Guidelines and Policy Documents 20. Anonymous - Term 21. ANSI - American National Standards Institute 22. ANSI Homeland Defense and Security Standardization Collaborative - HDSSC 23. ANSSI Agency for National Security Systems and Information 24. Classification Method and Key Measures - Cybersecurity for Industrial

    Control Systems 25. Detailed Measures - Cybersecurity for Industrial Control Systems 26. Argonne National Lab - DOE 27. Assault On California Power Station Raises Alarm on Potential for Terrorism 28. Attack Trees for Selected Electric Sector High Risk Failure Scenarios - EPRI 29. Attacks

    i. Dragonfly: Western Energy Companies Under Sabotage Threat ii. Utilities Report Cyber Incidents to Energy Department

    30. Attacks on Trust: The Cybercriminal's New Weapon 31. Automation Federation 32. Axelos 33. BES-Control Centers - Secure ICCP and IEC 60870-104 Communications 34. Best Practices Against Insider Threats in All Nations 35. Best Practices for Cyber Security in the Electric Power Sector 36. The Best Practices Guide for Application Security HP part 3 37. Bipartisan Policy Center

    i. Bipartisan Policy Center - Electric Grid Cybersecurity Initiative ii. Cybersecurity and the North American Electric Grid - New

    Policy Approaches to Address an Evolving Threat 38. Blogs

  • 4 | P a g e

    i. Digital Bond - www.digitalbond.com/blog ii. Tom Alrichs Blog - http://tomalrichblog.blogspot.com/

    39. Board of Directors References i. This section is in process presently the best strategy for

    Board members is to review the entire Table of contents ii. Boardroom Cyber Watch Survey - 2014 Report

    iii. Cyber-risk, Standards, and Best Practices iv. Energy Company Boards, Cybersecurity and Governance v. NIST Framework and Roadmap for Smart Grid Interoperability

    Standards, Release 3.0 40. Boardroom Cyber Watch Survey - 2014 Report 41. Bound to Fail: Why Cyber Security Risk Cannot Simply Be "Managed" Away

    i. Brookings Center ii. Bound to Fail: Why Cyber Security Risk Cannot Simply Be

    "Managed" Away 42. Brookings Center for 21st Century Security and Intelligence 43. Bulk Power System Cyber Security 44. The Business Case for Application Security HP part 2 45. C-Cubed Program from DHS 46. California

    i. Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission

    47. Can the Power Grid Be Hacked? Why Experts Disagree 48. Carnegie Mellon University

    i. Cylab at Carnegie Mellon ii. Governance of Enterprise Security: Cylab 2012 Report

    49. Catalog of Control Systems Security: Recommendations for Standards Developers

    50. Categorizing Cyber Systems - An Approach Based on BES Reliability Functions

    51. CERT 52. Center for the Study of the Presidency & Congress CSPC

    i. Securing The U.S. Electrical Grid 53. Certificate Management for Embedded Industrial Systems 54. Chertoff Group

    i. Addressing the Dynamic Threats to the Electric Power Grid Through Resilience

    55. CIP5 56. CIP Version 5 Supports Unidirectional Security Gateways 57. CIP Version 5: What Does it Mean for Utilities? 58. CIP5 FERC Order 59. CIPAC - Critical Infrastructure Partnership Advisory Council 60. Cisco 2014 Annual Security Report 61. Classification Method and Key Measures Cybersecurity for Industrial

    Control Systems 62. Cloud Security Alliance CSA 63. COBIT - Control Objectives for Information and Related Technology 64. Congress

    i. Congressional Testimony 2014-04-10 ii. Congressional Testimony 2012-07-17

    iii. Electric Grid Vulnerability Industry responses reveal security gap

    65. Congressional Research Service

  • 5 | P a g e

    i. Cybersecurity: Authoritative Reports and Resources, by Topic ii. The Smart Grid and Cybersecurity = Regulatory Policy and

    Issues iii. The Stuxnet Computer Worm: Harbinger of an Emerging

    Warfare Capability iv. Terrorist Use of the Internet: Information Operations in

    Cyberspace 66. Connecticut

    i. Cybersecurity and Connecticut's Public Utilities 67. Control Center Security at the Bulk Electric System Level 68. Council on Cybersecurity 69. Council on Foreign Relations on Cybersecurity 70. Cost of Failed Trust - 2013 Annual Report 71. CRISP - Cybersecurity Risk Information Sharing Program 72. Critical Infrastructure in Wikipedia 73. Critical Infrastructure Partnership Advisory Council - CIPAC 74. Critical Infrastructure Protection Cybersecurity Guidance Is Available, but

    More Can Be Done to Promote Its Use GAO-12-92 75. Critical Infrastructure Protection Multiple Efforts to Secure Control

    Systems Are Underway, but Challenges Remain GAO-07-1036 76. Critical Infrastructure Protection in Wikipedia 77. Critical Infrastructure Protection - Cybersecurity Guidance Is Available, but

    More Can Be Done to Promote Its Use - GAO Report 78. Critical Infrastructure Cybersecurity (by Lockheed Martin) 79. Critical Infrastructure Sectors_DHS 80. Critical Infrastructure Protection Standards (CIP) 81. Critical Infrastructure: Security Preparedness and Maturity 82. Critical Security Controls for Effective Cyber Defense 83. CSA - Cloud Security Alliance 84. CSPC - Center for the Study of the Presidency & Congress see above 85. Cyber Attack Task Force (NERC) 86. Cyber and Grid Security at FERC 87. Cyber insurance becomes the new cost of doing business 88. Cyber-Physical Systems Security for Smart Grid 89. Cyber-Risk Oversight 90. Cyber-risk, Standards, and Best Practices 91. Cyber Risk and the Board of Directors - Closing the Gap 92. Cyber Security for DER Systems 93. Cyber Security and Privacy Program - 2013 Annual Review 94. Cyber security procurement language for control systems 95. Cyber Solutions Handbook - Making Sense of Standards and Frameworks 96. Cyber Security for Smart Grid, Cryptography, and Privacy 97. Cyber Security Standards in Wikipedia 98. Cyber Security Standards (NERC) in Wikipedia 99. Cyber threat Intelligence Integration Center - CTIIC 100. Cyber threats Proving Their Power over Power Plant Operational

    Technology 101. Cyber War - Hardening SCADA 102. Cyberattack Insurance a Challenge for Business 103. Cybersecurity and the Audit Committee - Deloitte 104. Cybersecurity and the Board: Avoiding Personal Liability - Part I of

    III: Policies and Procedures

  • 6 | P a g e

    105. Cybersecurity and the Board: Avoiding Personal Liability - Part II of III: Policies and Procedures

    106. Cybersecurity and the Board: Avoiding Personal Liability - Part III of III: Policies and Procedures

    107. Cybersecurity: Authoritative Reports and Resources, by Topic by CRS

    108. Cybersecurity Best Practices for Small and Medium Pennsylvania Utilities

    109. Cybersecurity: Boardroom Implications - NACD 110. Cybersecurity and Connecticut's Public Utilities 111. Cybersecurity Capability Maturity Model - Electricity Subsector 112. Cybersecurity Challenges in Securing the Electricity Grid GAO-12-

    507T - Testimony Before the Committee on Energy and Natural Resources, U.S. Senate

    113. Cybersecurity...Continued in the Boardroom 114. Cybersecurity and the Evolving Role of State Regulation: How it

    Impacts the California Public Utilities Commission 115. Cybersecurity and the North American Electric Grid - New Policy

    Approaches to Address an Evolving Threat 116. Cybersecurity and the PUC 117. Cybersecurity Procurement Language for Energy Delivery Systems 118. Cybersecurity and Remote Access SPARK Article 119. Cybersecurity Risk Information Sharing Program - CRISP 120. Cybersecurity Risks and the Board of Directors Harvard Article 121. Cybersecurity for State Regulators - With Sample Questions for

    Regulators to Ask 122. Cybersecurity for Utilities: The Rest of the Story 123. Cybersecurity Webpage on DHS 124. Cybersecurity Website Page on DOE 125. Cyberspace Policy Review 126. Cylab at Carnegie Mellon 127. Dark Reading Cyber News 128. Data Breach Notification Laws by State 129. The Debate Over Cyber Threats 130. Defense Critical Infrastructure Actions needed to improve the

    identification and management of electrical power risks and vulnerabilities to DOD Critical Asset

    131. Dell 132. How Traditional Firewalls Fail Today's Networks - and Why Next-

    Generation Firewalls Will Prevail - Dell 133. Deloitte

    i. Cybersecurity and the Audit Committee - Deloitte ii. Cybersecurity...Continued in the Boardroom

    iii. Deloitte - Audit Committee Brief - 2014-05-01 iv. SECs Focus on Cybersecurity Key insights for investment

    advisors 134. Department of Defense DoD

    i. CERT ii. Insider Threat Center of CERT

    iii. Software Engineering Institute iv. Insider Fraud in Financial Services Illicit Cyber Activity

    Involving Fraud in the U.S. Financial Services Sector Software Engineering Institute

  • 7 | P a g e

    v. Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector Software Engineering Institute

    135. Department of Energy - DOE i. 2012 DOE Smart Grid Cybersecurity Information Exchange ii. AMI Penetration Test Plan

    iii. Analysis of Selected Electric Sector High Risk Failure Scenarios iv. Argonne National Lab - DOE v. Cyber security procurement language for control systems

    vi. Energy Sector Cybersecurity Framework Implementation Guidance

    vii. ICS-CERT Year in Review - Industrial Control Systems Cyber Emergency Response Team 2013 - DOE

    viii. Electricity Subsector - Risk Management Process ix. Gridwise Architecture Council x. High Impact, Low-Frequency Event Risk to the North American

    Bulk Power System NERC and DOE xi. Idaho National Lab

    xii. Implementing Effective Enterprise Security Governance - DOE xiii. Industrial Control Systems Joint Working Group (ICSJWG) xiv. Infrastructure Security and Energy Restoration xv. National Electric Sector Cybersecurity Organization - NESCO xvi. Electric Sector Failure Scenarios and Impact Analyses -

    NESCOR xvii. ERPI NESCOR Webpage xviii. NESCOR Guide to Penetration Testing for Electric Utilities -

    Version 3 xix. Office of Electric Delivery & Energy Reliability NESCO xx. Pacific Northwest National Laboratory PNNL xxi. Sandia National Lab

    136. Department of Energy wants electric utilities to create "cybersecurity governance board"

    137. Department of Homeland Security DHS i. C-Cubed Program ii. Catalog of Control Systems Security: Recommendations for

    Standards Developers iii. Critical Infrastructure Partnership Advisory Council - CIPAC iv. Critical_Infrastructure_Sectors_DHS v. Electricity Subsector Coordinating Council ESCC

    vi. Electricity Subsector - Cybersecurity Capability Maturity Model vii. Enhanced Cybersecurity Services

    viii. Fusion Centers ix. Implementation Status of the Enhanced Cybersecurity Services

    Program x. Industrial Control Systems Joint Working Group -ICSJWG xi. Industrial Control Systems Cyber Emergency Response Team

    ICS-CERT xii. National Cybersecurity and Communications Integration Center

    DHS xiii. National Infrastructure Advisory Council DHS xiv. NESEC V1.0 System Requirements Document Revision 3c DHS xv. Partnership for Critical Infrastructure Security xvi. Protective Security Advisor DHS free services

  • 8 | P a g e

    xvii. US-CERT 138. Detailed Measures - Cybersecurity for Industrial Control Systems 139. DHS Cybersecurity Capability Maturity Model - Electricity Subsector 140. Dragonfly: Western Energy Companies Under Sabotage Threat 141. Encryption: The answer to all security 142. Easing the Pain of a NERC CIP Audit 143. Eastern Interconnection Data Sharing Network 144. Edison Electric Institute - EEI

    i. EEI website cybersecurity page ii. Technical Conference 2014-04-29 - EEI Comments

    145. EEI - Edison Electric Institute 146. Effects-Based Targeting for Critical Infrastructure 147. Electric Grid Vulnerability Industry responses reveal security gap 148. Electric Power Research Institute EPRI

    i. Attack Trees for Selected Electric Sector High Risk Failure Scenarios

    ii. Cyber Security for DER Systems iii. Cyber Security and Privacy Program - 2013 Annual Review iv. ERPI NESCOR Webpage v. North America Electric System Infrastructure SECurity (NESEC)

    System EPRI 149. Electricity for Free - The dirty underbelly of SCADA and Smart Meters 150. Electricity Grid Modernization 151. Electricity Subsector Coordinating Council - ESCC

    i. ESCC Overview presentation 152. Electric Grid Vulnerability - Industry Responses Reveal Security Gaps 153. Electric Power Supply Association EPSA - on Cybersecurity 154. Electric Utility Cyber Security Standards: Practical Implementation

    Guidance 155. Electricity Sector Cybersecurity Capability Maturity Model 156. Electricity Sector Information Sharing and Analysis Center ES-ISAC 157. Electricity Subsector Coordinating Council ESCC

    i. Roadmap to Achieve Energy Delivery Systems Cybersecurity 158. Electricity Subsector - Cybersecurity Capability Maturity Model 159. Electricity Subsector - Risk Management Process 160. Energetic Bear 161. Energy Company Boards, Cybersecurity and Governance 162. Energy Firm's Security So POOR, Insurers REFUSE to take their cash 163. Energy Sector Control Systems Working Group ESCSWG

    i. Cybersecurity Procurement Language for Energy Delivery Systems

    164. Energy Sector Cybersecurity Framework Implementation Guidance 165. EnergySec

    i. Network Perimeter Defense Analyzing the Data ii. Network Perimeter Defense Common Mistakes

    iii. Report and Recommendations NECPUC Cybersecurity Project 166. Enhanced Cybersecurity Services 167. ENISA European Union Agency for Network and Information

    Security 168. EPRI - Electric Power Research Institute 169. ES ISAC Electricity Sector Information Sharing and Analysis Center 170. ESCC - Electricity Subsector Coordinating Council 171. Establishing Trust in Distributed Critical Infrastructure Micro Devices

  • 9 | P a g e

    172. European Network and Information Security Agency 173. European Union

    i. Annex III, ICS Security Related Standards, Guidelines and Policy Documents

    ii. ENISA European Union Agency for Network and Information Security

    iii. ENISA Threat Landscape 2014 174. Ex-FBI Official: Intel agencies don't share cyber threats that

    endanger companies 175. Executive Branch (President)

    i. Cyberspace Policy Review ii. Cyber threat Intelligence Integration Center

    iii. Executive Order 13636 iv. Executive Order Promoting Private Sector Cybersecurity

    Information Sharing v. Presidential Policy Directive 21

    176. Executive Order 13636 177. Expendable ICS Networks? 178. External Monitoring Security Threats 179. EY (Ernst & Young)

    i. How the Grid Will Be Hacked - by E&Y 180. FBI

    i. Cyber Crime ii. InfraGard

    iii. iGuardian 181. Federal Energy Regulatory Commission - FERC

    i. CIP5 FERC Order ii. Cyber and Grid Security at FERC - Webpage

    iii. Office of Energy Infrastructure Security OEIS iv. Opening Remarks by Kevin Perry v. Transcript from the Technical Conference ordered in CIP5

    vi. Technical Conference 2014-04-29 - EEI Comments vii. Testimony of Joseph McClelland

    viii. Wellinghoff to Markey letter of 2009-04-28 182. The Federal Government's Track Record on Cybersecurity and Critical

    Infrastructure 183. Federal Information Security Management Act of 2002 - FISMA 184. Federal Laws Relating to Cybersecurity: Overview and Discussion of

    Proposed Revisions 185. Feel the Electricity: how situation management empowers utilities for

    CIP Compliance 186. FERC 187. The Financial Impact of Cyber Risk 188. FINRA

    i. Report on Cybersecurity Practices 189. Firewalls 190. The Firewall Loophole - easy, Insecure NERC CIP Compliance 191. FISMA - Federal Information Security Management Act of 2002 192. Foreign Cyber-Spies Inject Spyware into U.S. Grid with Potential for

    Serious Damage 193. The Forrester Wave: Information Security and Risk Consulting

    Services, Q3, 2010 194. The Forrester Wave: Managed Security Services, Q3 2010

  • 10 | P a g e

    195. A Framework for Developing and Evaluating Utility Substation Cyber Security

    196. Framework for Improving Critical Infrastructure Cybersecurity - NIST 197. Framework for SCADA Cybersecurity 198. Frost & Sullivan 199. Fusion Centers 200. Future of the Electric Grid 201. GAO Report - Critical Infrastructure Protection - Cybersecurity

    Guidance Is Available, but More Can Be Done to Promote Its Use 202. Gartner Identifies the Top 10 Technologies for Information Security in

    2014 203. Generic Risk Template 204. Glossary of Key Information Security Terms - NIST 7298 205. Google Reports Unauthorized Digital Certificates 206. Governance of Enterprise Security: Cylab 2012 Report 207. Government Accounting Office

    i. Cybersecurity Challenges in Securing the Electricity Grid GAO-12-507T - Testimony Before the Committee on Energy and Natural Resources, U.S. Senate

    ii. Critical Infrastructure Protection Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use GAO-12-92

    iii. Critical Infrastructure Protection Multiple Efforts to Secure Control Systems Are Underway, but Challenges Remain GAO-07-1036

    iv. Critical Infrastructure Protection Update to National Infrastructure Projection Plan Includes Increased Emphasis on Risk Management and Resilience GAO-10-296

    v. Defense Critical Infrastructure Actions needed to improve the identification and management of electrical power risks and vulnerabilities to DOD Critical Asset

    vi. Information Security TVA Needs to Address Weaknesses in Control Systems and Networks GAO-08-526

    208. Government Asks Utilities, Others to Check Networks after 'Energetic Bear' Cyberattacks

    209. Gramm-Leach-Bliley Act, Interagency Guidelines 210. Guide to Industrial Control Systems (ICS) Security 211. Gridwise Architecture Council 212. Guidance for Secure Interactive Remote Access from NERC 2011-

    07-01 213. Hacking the Smart Grid 214. Hewett Packard HP

    i. The Best Practices Guide for Application Security HP part 3 ii. The Business Case for Application Security HP part 2

    iii. The Mandate for Application Security HP part 1 215. High Impact, Low-Frequency Event Risk to the North American Bulk

    Power System NERC and DOE 216. Holistic Enterprise Security Solution 217. Homeland Security - Legal and Policy Issues (a book) 218. House of Representatives

    i. Testimony Cybersecurity: Assessing the immediate threat to the United States 2011-05-25

    219. How to Hack the Power Grid for Fun and Profit

  • 11 | P a g e

    220. How the Grid Will Be Hacked - by E&Y 221. How to Increase Cyber-Security in the Power Sector: A Project Report

    from the Australian Power Sector 222. How Traditional Firewalls Fail Today's Networks - and Why Next-

    Generation Firewalls Will Prevail - Dell 223. HSToday (Homeland Security news and information) 224. I3P The Institute for Information Infrastructure Protection

    i. National Cyber Security - Research and Development Challenges

    225. IBM i. Best Practices for Cyber Security in the Electric Power Sector ii. Holistic Enterprise Security Solution

    226. ICS-CERT - Industrial Control Systems Cyber Emergency Response Team

    227. ICS-CERT Year in Review - Industrial Control Systems Cyber Emergency Response Team 2013 - DOE

    228. ICSJWG - Industrial Control Systems Joint Working Group 229. Idaho National Lab 230. Identity Theft Prevention and Identity Management Standards - ANSI 231. IEC International Electrotechnical Commission (Standards)

    i. IEC 61850 Standards ii. IEC 61968 distribution standards

    iii. IEC 61970 standards for energy management systems iv. IEC 62351

    232. IEEE - Institute of Electrical and Electronic Engineers i. IEEE 1686 Standard for Substation Intelligent Electronic

    Devices (IED) Cyber Security Capabilities ii. IEEE P37.240 Standard for Cyber Security Requirements for

    Substation Automation, Protection and Control Systems iii. IEEE 1711 Cryptographic Protocol for Cyber Security of

    Substation Serial Links iv. IEEE 1402 Standard for Physical Security of Electric Power

    Substations 233. PSRC H22 Cyber Security for protection related data files 234. If cyberwar erupts, Americas electric grid is a prime target 235. iGuardian 236. Implementing Effective Enterprise Security Governance - DOE 237. Implementation Study Final Report implementing CIP5 238. Industrial Control Technology (ICS/OT Systems)

    i. Cyber threats Proving Their Power over Power Plant Operational Technology

    ii. Securing Industrial Control Systems 239. InduSoft

    i. Framework for SCADA Cybersecurity ii. InduSoft Application Design and SCADA Deployment

    Recommendations for Industrial Control System Security 240. Industrial Control Systems Cyber Emergency Response Team ICS-

    CERT DHS 241. Industrial Control Systems Cyber Threat Research By Preventia 242. Industrial Control Systems Joint Working Group -ICSJWG 243. InfraGard 244. Infrastructure Security - Wikipedia 245. Infrastructure Security and Energy Restoration

  • 12 | P a g e

    246. Information Security TVA Needs to Address Weaknesses in Control Systems and Networks GAO-08-526

    247. Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations NIST 800-137

    248. Information Sharing and Analysis Organizations ISAOs see Executive Order Promoting Private Sector Cybersecurity Information Sharing

    249. Information Systems Security Association ISSA 250. Infosecurity Magazine 251. Insider Fraud in Financial Services Illicit Cyber Activity Involving

    Fraud in the U.S. Financial Services Sector Software Engineering Institute 252. Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S.

    Financial Services Sector Software Engineering Institute 253. Insider Threat Center of CERT 254. Institute of Electrical and Electronic Engineers IEEE

    i. Smart Grid Community IEEE 255. The Institute for Information Infrastructure Protection I3P 256. Insurance (Cybersecurity) 257. Cyber insurance becomes the new cost of doing business 258. International Electrotechnical Commission (Standards) see IEC

    above 259. International Organization for Standardization ISO

    i. ISO 27001 ii. ISO 27002

    260. International Society of Automation ISA i. ISA99, Industrial Automation and Control Systems Security ii. Security for Industrial Automation and Control Systems - ISA-

    62443 iii. Top Ten Differences Between ICS and IT Cybersecurity

    261. Interoperability and Security for Converged Smart Grid Networks 262. Intrusion Detection System for Advanced Metering Infrastructure 263. ISA - International Society of Automation see International Society

    of Automation above 264. ISA-6243 - Security for Industrial Automation and Control Systems 265. ISACA (previously the Information Systems Audit and Control

    Association) i. COBIT - Control Objectives for Information and Related

    TechnologyISO 27002 266. ISAOs - Information Sharing and Analysis Organizations

    see Executive Order Promoting Private Sector Cybersecurity Information Sharing

    267. ISSA - Information Systems Security Association 268. ISO 27001 269. ISO 27002 270. IT/OT Integration Done Right and Done Wrong 271. IT Governance Institute ITGI

    i. Data Breach Notification Laws by State 272. IT Governance Ltd

    i. Governance Link ii. Link to Cyber Security Resources

    273. Journal of Energy Security 274. Key Steps to Automate IT Security Compliance 275. Law in the Boardroom in 2014

  • 13 | P a g e

276. Least Privilege Principle
277. Lessons from 5 Advanced Attacks of 2013
278. Lessons Learned From Snowden
279. Living in a World Without Trust: When IT's Supply Chain Integrity and Online Infrastructure Get Pwned
280. Lockheed Martin
    i. Critical Infrastructure Cybersecurity (by Lockheed Martin)
    ii. Securing Industrial Control Systems: The Basics
281. LulzSec
282. Managers Information Security Survival Kit and Checklist
283. Managing Information Security Risk - NIST Special Publication 800-39
284. The Mandate for Application Security HP part 1
285. The Mask, Attacks on Trust, and Game Over - Kaspersky Labs
286. Metasploit
287. Microsoft
    i. Developing a City Strategy for Cybersecurity
288. National Academies
    i. Terrorism and the Electric Power Delivery System
289. National Association of Corporate Directors NACD
    i. Audit Committee Chair Advisory Council
    ii. Cyber-Risk Oversight
    iii. Cybersecurity: Boardroom Implications - NACD
    iv. NACD Summit
    v. Playing For Keeps
290. National Association of Regulatory Utility Commissioners NARUC
    i. Cybersecurity for State Regulators - With Sample Questions for Regulators to Ask
    ii. Cybersecurity for State Regulators 2.0
291. National Cyber Security - Research and Development Challenges
292. National Cybersecurity Center of Excellence - NCCoE
293. National Cybersecurity and Communications Integration Center DHS
294. National Electric Sector Cybersecurity Organization - NESCO
295. National Electric Sector Cybersecurity Organization Resource - NESCOR
    i. Electric Sector Failure Scenarios and Impact Analyses - NESCOR
    ii. EPRI NESCOR Webpage
    iii. Wide Area Monitoring, Protection, and Control Systems (WAMPAC) - Standards for Cyber Security Requirements
296. National Infrastructure Advisory Council DHS
297. National Governors Association NGA
    i. State Roles in Enhancing the Cybersecurity of Energy Systems and Infrastructure
298. Network Perimeter Defense: Analyzing the Data
299. Network Perimeter Defense: Common Mistakes
300. National Institute of Standards - NIST
301. National Research Regulatory Institute NRRI
    i. The Role of State Public Utility Commissions in Protecting National Utility Infrastructure
    ii. A Summary of State Regulators' Responsibilities Regarding Cybersecurity Issues
302. NECPUC Cybersecurity Project Report and Recommendations
303. NERC


    i. Categorizing Cyber Systems - An Approach Based on BES Reliability Functions
    ii. CIP5
    iii. NERC CIP-005 Compliance: At-A-Glance
    iv. NERC-CIP V5 Encourages Unidirectional Gateways
    v. NERC CIP V5 Standards Position - Unidirectional Security Gateways as Secure Alternatives to Firewalls and Network Intrusion Detection Systems
    vi. Critical Infrastructure Protection Standards (CIP)
    vii. Cyber Attack Task Force (NERC)
    viii. ES-ISAC Electricity Sector Information Sharing and Analysis Center
    ix. Guidance for Secure Interactive Remote Access from NERC
    x. High Impact, Low-Frequency Event Risk to the North American Bulk Power System NERC and DOE
    xi. Implementation Study Final Report implementing CIP5
    xii. NERC Reliability Assurance Initiative - RAI
    xiii. NERC Security Guidelines Working Group - SGWG
    xiv. Reliability Coordinator Information Sharing Portal (via NERC)
    xv. NERC CIP & Smart Grid
304. NESCO - National Electric Sector Cybersecurity Organization
305. NESCOR Guide to Penetration Testing for Electric Utilities - Version 3
306. NESCOR - National Electric Sector Cybersecurity Organization Resource
307. NESEC V1.0 System Requirements Document Revision 3c DHS
308. News
    i. HSToday (Homeland Security news and information)
    ii. Infosecurity Magazine
    iii. SecurityWeek
    iv. TechTarget - SearchSecurity
309. At The Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues
310. NIST - National Institute of Standards
    i. Framework for Improving Critical Infrastructure Cybersecurity - NIST
    ii. Glossary of Key Information Security Terms - NIST 7298
    iii. Guide to Industrial Control Systems (ICS) Security NIST 800-82
    iv. Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations NIST 800-137
    v. Managing Information Security Risk - NIST Special Publication 800-39
    vi. National Cybersecurity Center of Excellence - NCCoE
    vii. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0 NIST Special Publication 1108R3
    viii. NIST Interagency or Internal Reports (NISTIRs)
    ix. NIST SGIP Cyber Security Working Group
    x. NIST Smart Grid Collaboration Wiki for Smart Grid Interoperability Standards
    xi. NIST Special Publication 800-39 - Managing Information Security Risk
    xii. NISTIR 7628 NIST Interagency Report, Guidelines for Smart Grid Cyber Security


    xiii. NISTIR 7761 R1 Smart Grid Interoperability Panel Priority Action Plan 2: Guidelines for Assessing Wireless Standards for Smart Grid Applications
    xiv. Special Publication 800-53 Security and Privacy Controls for Federal
311. North America Electric System Infrastructure SECurity (NESEC) System EPRI
312. NRECA Cyber Task Force To Serve Co-ops (ECT.coop)
313. NRRI - see "National Research Regulatory Institute"
314. OCIE Cybersecurity Initiative
315. OEIS - Office of Energy Infrastructure Security at FERC
316. Office of Energy Infrastructure Security OEIS at FERC
317. Office of Electric Delivery & Energy Reliability NESCO
318. Pacific Northwest National Laboratory PNNL
    i. CRISP - Cybersecurity Risk Information Sharing Program
319. Partnership for Critical Infrastructure Security
320. Penetration Testing and Red Teams
321. Ponemon Institute
    i. 2012 Cost of Cyber Crime Study: United States
    ii. Cost of Failed Trust - 2013 Annual Report
    iii. Critical Infrastructure: Security Preparedness and Maturity
    iv. Ponemon 2014 SSH Security Vulnerability Report - Information Technology's Dirty Secret and Open Backdoors
322. Presidential Policy Directive 21
323. Principle of Least Privilege
324. PRISEM for Seattle
325. Procurement
    i. Cybersecurity Procurement Language for Energy Delivery Systems
    ii. Cyber Security Procurement Language for Control Systems
326. Project Basecamp
327. Protecting Against Cybersecurity Threats Starts Now
328. Protective Security Advisor DHS free services
329. Protiviti
    i. Board Perspectives: Risk Oversight
    ii. From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions
330. Public Utility Commissions
331. PWC
    i. PWC - Center for Board Governance
    ii. PWC on Cybersecurity
332. Questions for asking
333. The Financial Impact of Cyber Risk
334. Red Team & Penetration Testing
335. Regulators
    i. Cybersecurity and the PUC
    ii. How to Increase Cyber-Security in the Power Sector: A Project Report from the Australian Power Sector
    iii. NECPUC Cybersecurity Project Report and Recommendations
336. Reliability Coordinator Information Sharing Portal (via NERC)
337. Report and Recommendations NECPUC Cybersecurity Project
338. Report: Cyber Threats to Energy Sector Happening at Alarming Rate


339. Risk Management
340. Electricity Subsector - Risk Management Process
341. Generic Risk Template
342. Roadmap to Achieve Energy Delivery Systems Cybersecurity
343. Is there a Role for Government in Cyber Security - NPR episode
344. The Role of State Public Utility Commissions in Protecting National Utility Infrastructure
345. Sandia National Lab
346. SANS Institute
    i. Critical Security Controls for Effective Cyber Defense
    ii. Implementing an Effective IT Security Program
    iii. SANS Internet Storm Center
    iv. SANS Securing the Human
347. SCADA
    i. AGA Report No. 12 - Cryptographic Protection of SCADA Communications
    ii. Framework for SCADA Cybersecurity
    iii. How to Stop Malware Attacks on SCADA Systems
    iv. InduSoft Application Design and SCADA Deployment Recommendations for Industrial Control System Security
    v. The SCADA Security Survival Guide
    vi. SCADA System Cyber Security - A Comparison of Standards
    vii. SCADAhacker
348. SCADAhacker
349. Schneider Electric
    i. A Framework for Developing and Evaluating Utility Substation Cyber Security
    ii. Framework for SCADA Cybersecurity
    iii. InduSoft Application Design and SCADA Deployment Recommendations for Industrial Control System Security
350. SearchSecurity - TechTarget
351. SEC's Focus on Cybersecurity: Key insights for investment advisors
352. Securing the Human by SANS
353. Securing The U.S. Electrical Grid
354. Securities and Exchange Commission
    i. OCIE Cybersecurity Initiative
    ii. SEC's Focus on Cybersecurity: Key insights for investment advisors
355. Security for Industrial Automation and Control Systems - ISA-62443
356. Security and States
357. Security Wizardry Information Portal
358. SecurityWeek
359. Senators ask FERC to helm "expeditious comprehensive" probe of grid security
360. Smart Energy Profile (SEP)
361. The Smart Grid and Cybersecurity - Regulatory Policy and Issues
362. Smart Grid Security Blog
363. Social Engineering
364. Software Engineering Institute
365. Special Publication 800-53 (from NIST)
366. State Regulators
367. State Roles in Enhancing the Cybersecurity of Energy Systems and Infrastructure


368. Stronger than Firewalls
369. Stuxnet
    i. The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability
    ii. Stuxnet Five Years Later - Did We Take the Right Lessons?
370. Substations
    i. A Framework for Developing and Evaluating Utility Substation Cyber Security
    ii. IEEE 1402 Standard for Physical Security of Electric Power Substations
    iii. Unidirectional Security Gateways - Secure Transmission Substations Application
    iv. U.S. Risks National Blackout From Small-Scale Attack
371. A Summary of State Regulators' Responsibilities Regarding Cybersecurity Issues
372. Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies
373. Targeted Attacks Against the Energy Sector
374. TechTarget - SearchSecurity
375. Telephone Industries Association - Cybersecurity
376. Terrorism and the Electric Power Delivery System
377. Terrorist Use of the Internet: Information Operations in Cyberspace
378. Testimony Before the Committee on Energy and Natural Resources, US Senate
379. It's Time for Corporate Boards to Tackle Cybersecurity. Here's Why
380. Think Data Breaches Can't Happen To You?
381. Threat-Intel Sharing Services Emerge, But Challenges Remain
382. Time report on Smart Grid vulnerability
383. Top Ten Differences Between ICS and IT Cybersecurity
384. Training
    i. Protective Security Advisor DHS free services
385. Transcript from the Technical Conference ordered in CIP5
386. Transformers Expose Limits in Securing Power Grid
387. Two Factor Authentication
388. UglyGorilla Hack of US Utility Exposes Cyberwar Threat
389. Understanding the physical and economic consequences of attacks on control systems
390. Unidirectional Gateways
    i. Classification Method and Key Measures - Cybersecurity for Industrial Control Systems
391. Unidirectional Security Gateways - Secure Transmission Substations Application
392. Unidirectional Security Gateways vs. Firewalls: Comparing Costs
393. Unveiling "The Mask": Sophisticated malware ran rampant for 7 years
394. US-CERT
395. Is U.S. Cybersecurity plan a carrot, stick or legal nightmare?
396. The U.S. Electric Grid is Safer than you probably think
397. U.S. Risks National Blackout From Small-Scale Attack
398. U.S. Steps Up Alarm Over Cyberattacks
399. U.S. Utility's Control System was hacked, says Homeland Security
400. Utilities Need Test Bed to Evaluate Legacy Industrial Control System Cybersecurity Technologies
401. Utilities Report Cyber Incidents to Energy Department


402. Utilities Telecom Council - UTC
403. Venafi Predicts: 100 Percent of Mobile Malware Will Misuse Compromised Digital Certificates by the End of 2014
404. Verizon
    i. 2013 Data Breach Investigations Report [of 2012]
    ii. 2014 Data Breach Investigations Report
405. Virus Infection At An Electric Utility
406. VLANs
407. Why VLAN Security isn't SCADA Security at all
408. Wardriving the Smart Grid: practical approaches to attacking utility packet radios
409. Waterfall Security
    i. 13 Ways Through a Firewall
    ii. BES Control Centers - Secure ICCP and IEC 60870-104 Communications
    iii. Can the Power Grid Be Hacked? Why Experts Disagree
    iv. Introduction to Waterfall Unidirectional Security Gateways: True Unidirectionality, True Security
    v. IT/OT Integration Done Right and Done Wrong
    vi. The Firewall Loophole - Easy, Insecure NERC CIP Compliance
    vii. NERC CIP V5 Standards Position - Unidirectional Security Gateways as Secure Alternatives to Firewalls and Network Intrusion Detection Systems
    viii. Stronger than Firewalls
    ix. Unidirectional Security Gateways - Secure Transmission Substations Application
410. Watering Hole Attacks
411. What Are the Top Three Things Every Utility CIO Should Worry About When it Comes to Cybersecurity
412. What Not To Do In a Cyberattack
413. Why VLAN Security isn't SCADA Security at all
414. Wide Area Monitoring, Protection, and Control Systems (WAMPAC) - Standards for Cyber Security Requirements
415. X.509 Certificate Management: Avoiding Downtime and Brand Damage

    END OF TABLE OF CONTENTS


2012 Utility Cyber Security Survey - http://www.EnergyCollection.us/Energy-Security/2012-Utility-Cyber.pdf

2013 Annual Cost of Failed Trust Report: Threats & Attacks - reveals that failed key and certificate management threatens every global enterprise with potential exposure of almost US $400M. http://www.EnergyCollection.us/Energy-Security/2013-Annual-Cost.pdf

440 Million New Hackable Smart Grid Points - By the end of 2015, the potential security risks to the smart grid will reach 440 million new hackable points. Billions are being spent on smart grid cybersecurity, but it seems like every time you turn around, there is yet another vulnerability exposing how to manipulate smart meters or power-grid data. http://eee.EnergyCollection.us/Energy-Security/440-Million-New.pdf Original link - http://blogs.computerworld.com/17120/400_million_new_hackable_smart_grid_points

Aberdeen Group - The IT security practice examines technologies used to ensure the confidentiality, integrity, availability, and authenticity of enterprise data and data transactions, from application security, endpoint encryption, master material data management, Cloud and Web security, data loss prevention, data protection, email security, Web security and others. http://www.aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx

Advanced Cyber Security for Utilities - a 2009-05-20 presentation by The Structure Group (25 pages). http://www.EnergyCollection.com/Energy-Security/Advanced-Cyber-Securities-For-Utilities.pdf

Advanced Persistent Threat - http://en.wikipedia.org/wiki/Advanced_persistent_threat

AlienVault Open Threat Exchange - http://www.alienvault.com/open-threat-exchange

    American Public Power Association - is a collection of more than 2,000 community-owned electric utilities, serving more than 47 million people or about 14 percent of the nation's electricity consumers. Public power utilities are operated by local governments to provide communities with reliable, responsive, not-for-profit electric service. Public power utilities are directly accountable to the people they serve through local elected or appointed officials. http://www.publicpower.org


    American Gas Association

AGA Report No. 12 - Cryptographic Protection of SCADA Communications - http://www.EnergyCollection.us/Energy-Security/AGA-Report-12.pdf


    American National Standards Institute - ANSI


Company website - http://www.ansi.org/

ANSI Homeland Defense and Security Standardization Collaborative - HDSSC - http://www.ansi.org/standards_activities/standards_boards_panels/hssp/overview.aspx?menuid=3

Identity Theft Prevention and Identity Management Standards - http://www.ansi.org/standards_activities/standards_boards_panels/idsp/overview.aspx?menuid=3

Wikipedia - http://en.wikipedia.org/wiki/American_National_Standards_Institute

    American Public Power Association APPA - Public power is a collection of more than 2,000 community-owned electric utilities, serving over 43 million people or about 14 percent of the nation's electricity consumers. Website: http://www.appanet.org APPA webpage for cybersecurity - http://www.publicpower.org/Topics/Landing.cfm?ItemNumber=38507

Bulk Power System Cyber Security - APPA publication - 2011-02-01 - contains a good history of cybersecurity and the grid. http://www.EnergyCollection.us/Energy-Security/Bulk-Power-System-Cyber.pdf


    ANSSI Agency for National Security Systems and Information

Classification Method and Key Measures - Cybersecurity for Industrial Control Systems - This document is based on the findings of the working group on Industrial Control System cybersecurity, directed by the French Network and Information Security Agency, the ANSSI. Composed of actors in the field of automated industrial process control systems and specialists in IT Security, the group has undertaken to draft a set of measures to improve the cybersecurity of ICS. These documents will be used to define the methods for applying the measures set out within the framework of French law No. 2013-1168 of 18 December 2013, known as the Military programming law (LPM). The objective is to subject all new critical ICSs to an approval process, thus ensuring that their cybersecurity level is acceptable given the current threat status and its potential developments. The document is intended for all actors (e.g. responsible entities, project managers, buyers, manufacturers, integrators, prime contractors) concerned with the design, implementation, operation and maintenance of ICSs. The working group did not focus on any specific business sector. Therefore, the contents of this document are intended to apply to all sectors. Some sectors have special characteristics that have not been detailed or considered in this document. In some cases, it may be necessary to establish a sector-specific version of this document, in collaboration with the coordinating ministries, in order to clarify how to apply techniques and to take specific constraints into account. All of the measures presented have been designed for new ICSs. It is quite possible that these measures cannot be directly applied to existing ICSs; therefore, an exhaustive impact evaluation should be carried out before any implementation. Situations may arise (e.g. compatibility issues with existing ICSs, business-specific constraints) in which certain measures cannot be applied without adapting them. These special cases should be the object of specific studies and the resulting measures should be submitted to the cyber-defense authority for approval. As this work focused exclusively on cybersecurity for ICSs, the definition of organizations' overall IT security strategy is not concerned by this framework. It is therefore up to each responsible entity to integrate their ICSs and their specific constraints into their IT Security Policy. http://www.EnergyCollection.us/Companies/ANSSI/Classification-Method-Key.pdf

Detailed Measures - Cybersecurity for Industrial Control Systems - This document is based on the findings of the working group on Industrial Control System cybersecurity, directed by the French Network and Information Security Agency, ANSSI. Composed of actors in the field of automated industrial process control systems and specialists in IT Security, the group has undertaken to draft a set of measures to improve the cybersecurity of ICS. The document is intended for all actors (e.g. responsible entities, project managers, buyers, manufacturers, integrators, prime contractors) concerned with the design, implementation, operation and maintenance of ICSs. The working group did not focus on a specific business sector; the contents of this document are intended to apply to all sectors. Some sectors have specific characteristics that may not have been detailed or considered in this document. Therefore, in some cases, a sector-specific version of this document may be required to clarify the application and to take specific constraints into account. All of the measures presented have been designed for new ICSs. It is quite possible that these measures cannot be directly applied to existing ICSs; therefore, an exhaustive impact evaluation should be carried out before any implementation. It is also possible that situations may arise (e.g. compatibility issues with existing ICSs, business-specific constraints) in which measures cannot be applied without adapting them. These special cases should be the object of specific studies and the resulting measures should be submitted to the cyberdefence authority for approval. http://www.EnergyCollection.us/Companies/ANSSI/Detailed-Measures.pdf

Anonymous - Anonymous (used as a mass noun) is a loosely associated international network of activist and hacktivist entities. A website nominally associated with the group describes it as "an internet gathering" with "a very loose and decentralized command structure that operates on ideas rather than directives". The group became known for a series of well-publicized publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites. Wikipedia - http://en.wikipedia.org/wiki/Anonymous_%28group%29

Assault On California Power Station Raises Alarm on Potential for Terrorism - April Sniper Attack Knocked Out Substation, Raises Concern for Country's Power Grid - 2014-04-04 - http://www.EnergyCollection.us/Energy-Security/Assault-California-Power.pdf

Attacks on Trust: The Cybercriminal's New Weapon - 3013-07-01 by Forrester for Venafi - The trust established by cryptographic keys and certificates is critical to enabling just about every electronic interaction and process that businesses and governments rely on today. Much like a nation's currency, people who use these keys and certificates need to trust their value if they're to be accepted and facilitate transactions. Yet, this trust can easily be exploited. Cybercriminals have identified keys and certificates as a weak spot for many organizations today; cybercriminals can become trusted users on your networks, in your clouds, or on mobile devices, evading a multitude of technical controls and gaining undetected access. In 2013, we're seeing cybercriminals accelerate the exploitation of keys and certificates to steal data or enable other attacks against victims. We've seen several high-profile cases that point to the magnitude and seriousness of this threat. Recently, rogue Microsoft digital certificates allowed Flame malware to make its way past Windows controls. This year, attackers gained access to security firm Bit9's trusted certificate and used it to sign malware. Google also discovered an unauthorized certificate impersonating Google.com for a man-in-the-middle attack. Cybercriminals are also known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property. http://www.EnergyCollection.us/Energy-Security/Attacks-On-Trust.pdf

Automation Federation - The Automation Federation is an association of member organizations providing awareness, programs, and services that continually advance the automation profession for the betterment of humanity. Cybersecurity link - http://www.automationfederation.org/Content/NavigationMenu/General_Information/Alliances_and_Associations/The_Automation_Federation/Focus_Areas/Cybersecurity/Cybersecurity.htm

Axelos - AXELOS, the owner of ITIL and PRINCE2, is developing a new cybersecurity portfolio designed to help commercial organizations and governments around the world combat the risk of cyber attacks. http://www.axelos.com/?DI=639511

Best Practices Against Insider Threats in All Nations - Based on its analysis of more than 700 case studies, the CERT Insider Threat Center recommends 19 best practices for preventing, detecting, and responding to harm from insider threats. This technical note summarizes each practice, explains its importance, and provides an international policy perspective on the practice. Every nation can use this paper as a succinct educational guide to stopping insider threats and an exploration of international policy issues related to insider threats. 2013-08-01 http://www.EnergyCollection.us/Energy-Security/Best-Practices-Against.pdf

    Bipartisan Policy Center - is a non-profit organization that drives principled solutions through rigorous analysis, reasoned negotiation and respectful dialogue. With projects in multiple issue areas, BPC combines politically-balanced policymaking with strong, proactive advocacy and outreach. http://bipartisanpolicy.org

1. Bipartisan Policy Center - Electric Grid Cybersecurity Initiative - The Electric Grid Cybersecurity Initiative, a joint effort of BPC's Energy and Homeland Security Projects, will develop recommendations for how multiple government agencies and private companies can protect the North American electric grid from cyber-attacks. The initiative will consider how to allocate responsibility for cyber-attack prevention and response, facilitate the sharing of intelligence about cyber threats and vulnerabilities with electric power companies, and ensure appropriate privacy protections for customer data. http://bipartisanpolicy.org/projects/electric-grid-cybersecurity-initiative

2. Cybersecurity and the North American Electric Grid - New Policy Approaches to Address an Evolving Threat - 2014-02-01 - Bipartisan Policy Center - This report summary highlights key findings and recommendations from the co-chairs of the Bipartisan Policy Center's (BPC) Electric Grid Cybersecurity Initiative. It covers four topic areas: standards and best practices, information sharing, response to a cyber attack, and paying for cybersecurity. Recommendations in these areas target Congress, federal government agencies, state public utilities commissions (PUCs), and industry. The Initiative was launched as a collaboration of BPC's Energy and Homeland Security Projects in May 2013. Its goal was to develop policies, aimed at government agencies as well as private companies, for protecting the North American electric grid from cyber-attacks. http://www.EnergyCollection.us/Energy-Security/Cybersecurity-North-American.pdf


    Board of Directors References

1. See the Table of Contents for all links to materials related to Board-level knowledge.
2. Cyber-risk, Standards, and Best Practices - The electric power industry needs a transparent, funded, independent, dedicated, focused Best Practices effort. If we want to achieve appropriate mitigation levels to protect industry infrastructure against cyber-attacks we should do no less. A paper by Dan Hill (ex-CIO of Exelon and Board member of the New York ISO, https://www.linkedin.com/in/danielchill) and Paul Feldman (Board member at the Midcontinent ISO, https://www.linkedin.com/in/paulfeldman). See http://www.EnergyCollection.us/458.pdf
   Energy Company Boards, Cybersecurity and Governance - a paper by Dan Hill (ex-CIO of Exelon and Board member of the New York ISO, https://www.linkedin.com/in/danielchill) and Paul Feldman (Board member at the Midcontinent ISO, https://www.linkedin.com/in/paulfeldman). See http://www.EnergyCollection.us/456.pdf

3. Boardroom Cyber Watch Survey - 2014 Report - The 2014 Boardroom Cyber Watch Survey is the second annual survey we have undertaken specifically targeting chief executives, board directors and IT professionals. It demonstrates the issues organizations are facing in the constantly changing cyber threat landscape and how the boardroom's and IT function's perception of cyber risks is shifting. http://www.EnergyCollection.us/Energy-Security/Boardroom-Cyber-Watch-2014.pdf

    Brookings Center - is a nonprofit public policy organization based in Washington, DC. Our mission is to conduct high-quality, independent research and, based on that research, to provide innovative, practical recommendations that advance three broad goals: Strengthen American democracy; Foster the economic and social welfare, security and opportunity of all Americans; and Secure a more open, safe, prosperous and cooperative international system. http://www.brookings.edu

Bound to Fail: Why Cyber Security Risk Cannot Simply Be "Managed" Away - Rather than a much-needed initiative to break the legislative deadlock on the subject in Congress, President Obama's new executive order for improving critical infrastructure cyber security is a recipe for continued failure. In essence, the executive order puts the emphasis on establishing a framework for risk management and relies on voluntary participation of the private sector that owns and operates the majority of U.S. critical infrastructure. Both approaches have been attempted for more than a decade without measurable success. A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation's most critical installations. The authors suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities, and thereby avoids perpetuating the problem in systems and architectures that will be around for decades to come. In contrast to the IT sector, the industrial control systems (ICS) that keep the nation's most critical systems running are much simpler and much less dynamic than contemporary IT systems, which makes eliminating cyber vulnerabilities, most of which are designed into products and system architectures, actually possible. Finally, they argue that a distinction between critical and non-critical systems is a bad idea that contradicts the pervasiveness and sustainability of any effort to arrive at robust and well-protected systems. http://www.EnergyCollection.us/Energy-Security/Bound-To-Fail.pdf

Brookings Center for 21st Century Security and Intelligence - http://www.brookings.edu/about/centers/security-and-intelligence

    California

Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission - 2012-09-19 - The purpose of this paper is to examine how the CPUC and other State regulators can further address cybersecurity as it relates to grid resiliency, reliability and safety. In particular, this paper recommends that the CPUC open an Order Instituting Rulemaking (OIR) to further investigate appropriate cybersecurity policies. http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Evolving-Role.pdf

    Carnegie Mellon University

CyLab at Carnegie Mellon - is a bold and visionary effort, which establishes public-private partnerships to develop new technologies for measurable, secure, available, trustworthy and sustainable computing and communications systems. CyLab is a world leader in both technological research and the education of professionals in information assurance, security technology, business and policy, as well as security awareness among cyber-citizens of all ages. Building on more than two decades of Carnegie Mellon leadership in Information Technology, CyLab is a university-wide initiative that involves over fifty faculty and one hundred graduate students from more than six different departments and schools. As a vital resource in the effort to address cyber vulnerabilities that threaten national and economic security, CyLab is closely affiliated with CERT Coordination Center, a leading, internationally recognized center of internet security expertise. https://www.cylab.cmu.edu/

    Governance of Enterprise Security: Cylab 2012 Report - How Boards & Senior Executives are Managing Cyber Risk - 2012-05-16 - It has long been recognized that directors and officers have a fiduciary duty to protect the assets of their organizations. Today, this duty extends to digital assets, and has been expanded by laws and regulations that impose specific privacy and cyber security obligations on companies. This is the third biennial survey that Carnegie Mellon CyLab has conducted on how boards of directors and senior management are governing the security of their organizations information, applications, and networks (digital assets). First conducted in 2008 and carried forward in 2010 and 2012, the surveys are intended to measure the extent to which cyber governance is improving. The 2012 survey is the first global governance survey, comparing responses from industry sectors and geographical regions. http://www.EnergyCollection.us/Energy-Security/Governance-Enterprise-Security.pdf Original link at: http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf last accessed 2014-05-23 Top

    Center for the Study of the Presidency & Congress CSPC

    Website - http://www.thepresidency.org/

    Securing The U.S. Electrical Grid 2014-07-01 180 pages - This project has sought to address these challenges and begin a new conversation about the security of a changing grid. Through off-the-record roundtable discussions with experts from government, the private sector, and the policy community, this project has examined the threats of cyberattack, physical attack, electromagnetic pulse, and severe weather. We have explored how the executive branch organizes itself to address the security of critical infrastructure, focusing on the grid. We have analyzed the path of legislation related to grid security and the political obstacles it faces. We have discussed how the private sector can better support and incentivize best practices and innovations for security and reliability. We have looked at what the future of the grid may hold in terms of both new technology and a shift to renewable energy. Top

    Certificate Management for Embedded Industrial Systems - 2009-11-11 - presentation by ABB - http://www.EnergyCollection.us/Energy-Security/Certificate-Management-Embedded.pdf Top

    Chertoff Group

    Addressing the Dynamic Threats to the Electric Power Grid Through Resilience 2014-11-01 by the Chertoff Group - The U.S. electric power grid is an interconnected system made up of power generation, transmission, and distribution infrastructure. The grid comprises nearly 6,000 power stations and other small generation facilities; 45,000 substations connected by approximately 200,000 miles of transmission lines; and local distribution systems that move power to customers through overhead and underground cables. Often called the largest machine in the world, the U.S. electric power grid is considered uniquely critical because it enables and supports other critical infrastructure sectors, including the oil and natural gas, water, transportation, telecommunications, and financial sectors. The use of electricity is ubiquitous across these critical infrastructure sectors, and our society's dependence on electricity continues to increase. The electric power industry understands the critical service it provides and the impact that could result should the electric grid or the ability to deliver electricity be disrupted or damaged. The industry also recognizes that there is no single solution that can completely eliminate each and every risk to the grid. As a result, the industry works closely with government and other industry partners to apply an effective risk management approach focused on ensuring a reliable and resilient electric grid that can quickly recover and restore critical services to customers when power disruptions occur. This partnership informs necessary investments to better plan for and prevent highly consequential incidents and to strengthen capabilities to respond and recover quickly with minimal disruption or damage. This report reviews the electric power industry's efforts to protect the grid and to protect against possible harm to our nation's power supply. It also recommends further initiatives that can help to strengthen and enhance resiliency. http://www.EnergyCollection.us/Companies/Chertoff/Addressing-Dynamic-Threats.pdf Top

    Chertoff Group (above) Top

    CIP Version 5 Supports Unidirectional Security Gateways - by Paul Feldman and Lior Frenkel - 2013-05-01 - published by DHS ICS-CERT - The NERC CIP Version 5 draft standard was recently submitted to FERC for approval. The submitted draft recognizes that Unidirectional Security Gateways provide security which is stronger than firewalls, and the draft includes measures to encourage the deployment of this strong security technology. The standard also changes how firewalls must be managed and mandates network intrusion detection systems as a second level of defense when control centers deploy firewalls. http://www.EnergyCollection.us/Energy-Security/CIP-Version-5-Supports.pdf and http://ics-cert.us-cert.gov/May-2013-Whitepaper-and-Presentation-Submissions Top

    CIP Version 5: What Does it Mean for Utilities? - http://www.EnergyCollection.us/Energy-Security/CIP-Version-5.pdf Top

    Cisco 2014 Annual Security Report - In this report, Cisco offers data on and insights into top security concerns, such as shifts in malware, trends in vulnerabilities, and the resurgence of distributed denial-of-service (DDoS) attacks. The report also looks at campaigns that target specific organizations, groups, and industries, and the growing sophistication of those who attempt to steal sensitive information. The report concludes with recommendations for examining security models holistically and gaining visibility across the entire attack continuum: before, during, and after an attack. http://www.EnergyCollection.us/Energy-Security/Cisco-2014-Annual.pdf Top

    Classification Method and Key Measures Cybersecurity for Industrial Control Systems - This document is based on the findings of the working group on Industrial Control System cybersecurity, directed by the French Network and Information Security Agency, the ANSSI. Composed of actors in the field of automated industrial process control systems and specialists in IT Security, the group has undertaken to draft a set of measures to improve the cybersecurity of ICS. These documents will be used to define the methods for applying the measures set out within the framework of French law No. 2013-1168 of 18 December 2013, known as the Military programming law (LPM). The objective is to subject all new critical ICSs to an approval process, thus ensuring that their cybersecurity level is acceptable given the current threat status and its potential developments. The document is intended for all actors (e.g. responsible entities, project managers, buyers, manufacturers, integrators, prime contractors) concerned with the design, implementation, operation and maintenance of ICSs. http://www.EnergyCollection.us/Countries/France/Classification-Method-Key.pdf Top

    On page 10 the document defines 3 Classes of assets of increasing importance: Class 1: ICSs for which the risk or impact of an attack is low. The measures recommended for this class must be able to be applied in complete autonomy. Class 2: ICSs for which the risk or impact of an attack is significant. There is no state control over this class of ICS, but in the event of inspection or incident, the responsible entity must be able to provide evidence that adequate measures have been implemented. Class 3: ICSs for which the risk or impact of an attack is critical. In this class, the obligations are heightened and the conformity of ICSs is verified by the state authority or an accredited body.

    Starting on page 15 requirements for use of unidirectional gateways are spelled out for Class 2 and Class 3 assets:

    Class 2: The following are recommendations regarding different types of interconnection. ICSs: Partitions using firewalls should be established between class 2 ICSs. Certified devices should be used for the interconnection. The interconnection of a class 2 ICS and a class 1 ICS should be unidirectional towards the class 1 system. Certified devices should be used for the interconnection. Management Information Systems: Interconnection should be unidirectional from the ICS towards the corporate network. Otherwise, all data streams towards the class 2 ICS should be clearly defined and limited. Associated risks should be identified and evaluated. The interconnection shall be implemented using cybersecurity devices such as a firewall, which should be certified. Public network: ICSs should not be exposed on the Internet unless it is imperatively justified by an operational requirement. Where appropriate, they should not be exposed without protection and the risks associated with such a solution should be clearly identified. The interconnection should be unidirectional towards the public network. Certified devices should be used for the interconnection.

    Class 3: The following are recommendations regarding different types of interconnection. ICSs: Partitions using firewalls shall be established between class 3 ICSs. It is strongly recommended to implement the interconnection using certified devices. The interconnection of a class 3 ICS with an ICS of a lower class shall be unidirectional towards the latter. The unidirectionality shall be guaranteed physically (e.g. with a data diode). Certified devices should be used for the interconnection. Management Information Systems: The interconnection shall be unidirectional towards the corporate network. The unidirectionality shall be guaranteed physically (e.g. with a data diode). Certified devices should be used for the interconnection. Public network: A class 3 ICS shall not be connected to a public network.

    Cloud Security Alliance CSA - is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. https://cloudsecurityalliance.org Top

    Congress

    Congressional Testimony 2014-04-10 - Committee on Energy and Natural Resources, United States Senate, hearing on "Keeping the Lights On: Are We Doing Enough to Ensure the Reliability and Security of the U.S. Electric Grid" http://www.EnergyCollection.us/Energy-Security/Congressional-Testimony-2014-04-10.pdf Top

    Congressional Testimony 2012-07-17 Committee on Energy and Natural Resources, United States Senate, Second session to examine the status of action taken to ensure that the electric grid is protected from cyber attacks http://www.EnergyCollection.us/Energy-Security/Congressional-Testimony-2012-07-17.pdf Top

    Electric Grid Vulnerability - Industry responses reveal security gaps 2013-05-21, a report written by the staff of Congressmen Markey and Waxman - To inform congressional consideration of this issue, Representatives Edward J. Markey and Henry A. Waxman requested information in January 2013 from more than 150 investor-owned utilities (IOUs), municipally-owned utilities, rural electric cooperatives, and federal entities that own major pieces of the bulk power system. As of early May, more than 60% of the entities had responded (54 investor-owned utilities, 47 municipally-owned utilities and rural electric cooperatives, and 12 federal entities). http://www.EnergyCollection.us/Companies/Congress/electric-Grid-Vulnerability.pdf Top

    Congressional Research Service

    Website http://www.crs.gov

    Cybersecurity: Authoritative Reports and Resources, by Topic http://www.EnergyCollection.us/Companies/Congressional-Research-Service/Cybersecurity-Authoritative-Reports.pdf Top

    The Smart Grid and Cybersecurity - Regulatory Policy and Issues 2011-05-15 http://www.EnergyCollection.us/Companies/Congressional-Research-Service/Smart-Grid-Cybersecurity.pdf Top

    The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability http://www.EnergyCollection.us/Companies/Congressional-Research-Service/Stuxnet_Computer_Worm.pdf Top

    Terrorist Use of the Internet: Information Operations in Cyberspace 2011-03-08 19 pages http://www.Companies/Congressional-Research-Service/Terrorist_Use_Internet.pdf Top

    Connecticut

    Cybersecurity and Connecticut's Public Utilities - 2-14-04-14 - by the state PUC - Cyber threats pose serious potential damage to Connecticut's public utilities. Connecticut's public officials and utilities need to confront these threats and detect, deter and be prepared to manage the effects of a cyber disruption. Governor Dannel P. Malloy and Connecticut's General Assembly initiated this report through adoption of the state's Comprehensive Energy Strategy in 2013. They directed the Public Utilities Regulatory Authority (PURA) to review the state's electricity, natural gas and major water companies and to assess the adequacy of their capabilities to deter interruption of service and to present to the Governor and General Assembly recommended actions to strengthen deterrence. This report is offered as a starting point toward defining regulatory guidance specifically for defensive cyber strategies. Top

    Council on Cybersecurity - an independent, expert, not-for-profit organization with a global scope committed to the security of the open Internet. Its technology practice area is built upon the Critical Security Controls (the Controls), a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The Controls have been developed and maintained by an international, grass-roots consortium which includes a broad range of companies, government agencies, institutions, and individuals from every part of the ecosystem (threat responders and analysts, security technologists, vulnerability-finders, tool builders, solution providers, front-line defenders, users, consultants, policy-makers, executives, academia, auditors, etc.) who have banded together to create, adopt, and support the Controls. http://www.counciloncybersecurity.org/critical-controls/ Top

    Council on Foreign Relations on Cybersecurity - is an independent, nonpartisan membership organization, think tank, and publisher. CFR members, including Brian Williams, Fareed Zakaria, Angelina Jolie, Chuck Hagel, and Erin Burnett, explain why the Council on Foreign Relations is an indispensable resource in a complex world. http://www.cfr.org/issue/cybersecurity/ri18 Top

    CRISP - Cybersecurity Risk Information Sharing Program - CRISP is a pilot program that provides a near-real-time capability for critical infrastructure owners and operators to share and analyze cyber threat data and receive machine-to-machine mitigation measures. Developed by a number of power sector companies, in conjunction with the ES-ISAC, DOE, Pacific Northwest National Laboratory, and Argonne National Laboratory. CRISP is an information sharing software system that NERC may incorporate into ES-ISAC. http://tinyurl.com/jvn2fcc Top

    Critical Infrastructure in Wikipedia - Wikipedia - http://en.wikipedia.org/wiki/Critical_infrastructure Top

    Critical Infrastructure Protection in Wikipedia - Wikipedia - http://en.wikipedia.org/wiki/Critical_infrastructure_protection Top

    Critical Infrastructure Protection - Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use - GAO Report - 2012-12-01 - A wide variety of cybersecurity guidance is available from national and international organizations for entities within the seven critical infrastructure sectors GAO reviewed: banking and finance; communications; energy; health care and public health; information technology; nuclear reactors, material, and waste; and water. Much of this guidance is tailored to business needs of entities or provides methods to address unique risks or operations. In addition, entities operating in regulated environments are subject to mandatory standards to meet their regulatory requirements; entities operating outside of a regulatory environment may voluntarily adopt standards and guidance. While private sector coordinating council representatives confirmed lists of cybersecurity guidance that they stated were used within their respective sectors, the representatives emphasized that the lists were not comprehensive and that additional standards and guidance are likely used. http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Guidance-Available.pdf Top

    Cyber-Physical Systems Security for Smart Grid - Future Grid Initiative White Paper - http://www.EnergyCollection.us/Energy-Security/Cyber-Physical-Systems.pdf Top

    Cyber Risk and the Board of Directors - Closing the Gap - http://www.EnergyCollection.us/Energy-Security/Cyber-Risk-Board.pdf Top

    Cyber Security for Smart Grid, Cryptography, and Privacy - 2011-07-01 - In this paper, we will study smart grid security in more depth. The goal of this paper is to cover the security challenges related to cyber security, and we will also study how cryptography is used in order to eliminate cyber-attacks. Finally, we will also discuss in brief privacy which is another smart grid security concern. The rest of the paper is organized as follows. We start by reviewing the challenges and goals of smart grid in Section 2. This is followed by the smart grid architecture in Section 3. We focus on cyber security in Section 4. Section 5 explains cryptography used for smart grid security in depth. Privacy in context with smart grid security is explained in Section 6. And finally, we conclude in Section 7. http://www.EnergyCollection.us/Energy-Security/Cyber-Security-Smart-Grid.pdf Top

    Cyber Security Standards in Wikipedia - http://en.wikipedia.org/wiki/Cyber_security_standards Top

    Cyber Security Standards (NERC) in Wikipedia - http://en.wikipedia.org/wiki/Cyber_security_standards#NERC Top

    Cyber Solutions Handbook - Making Sense of Standards and Frameworks - 2014-03-17 by Booz Allen Hamilton - http://www.EnergyCollection.us/Energy-Security/Cyber-Solutions-Handbook.pdf Top

    Cyber threats Proving Their Power over Power Plant Operational Technology 2015-02-01 by Michael Assante http://www.EnergyCollection.us/Energy-Security/Cyber-Threats-Proving.pdf Top

    Cyber War - Hardening SCADA - The year 2011 may have forever changed the way we think about the security of networks and systems. Following a year many are calling "the year of the hack", security professionals have fundamentally changed their outlook when it comes to the threat of a network breach. Whereas previously, many considered a breach unlikely and more of an "if" scenario, many have shifted to a mindset of "when". Week after week one company after another was breached with high profile impact. Unfortunately public utilities were no different. In November 2011, the deputy assistant director of the FBI's Cyber Division, Michael Welch, told a London cyber security conference that hackers had recently accessed the critical infrastructure in three U.S. cities by compromising their Internet-based control systems. http://www.EnergyCollection.us/Energy-Security/Cyber-War-Hardening.pdf Top

    Cyberattack Insurance a Challenge for Business http://www.EnergyCollection.us/Energy-Security/Cyberattack-Insurance-Challenge.pdf Top

    Cybersecurity Best Practices for Small and Medium Pennsylvania Utilities http://www.EnergyCollection.us/States/Pennsylvania/Cybersecurity-Best-Practices.pdf Top

    Cybersecurity and the Board: Avoiding Personal Liability - Part I of III: Policies and Procedures - http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Board-Avoiding-I.pdf Top

    Cybersecurity and the Board: Avoiding Personal Liability - Part II of III: Policies and Procedures - http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Board-Avoiding-II.pdf Top

    Cybersecurity and the Board: Avoiding Personal Liability - Part III of III: Policies and Procedures - http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Board-Avoiding-III.pdf Top

    Cybersecurity and Remote Access SPARK Article - The conversation regarding IT security is shifting. Until recently, most of the major hacking incidents were conducted by financially-motivated hackers out to steal proprietary data. They often targeted large retail companies that store thousands of credit card records, such as the highly-publicized T.J. Maxx data breach in 2007. But today hacktivism and cyber terrorism are growing as real threats to both public and private organizations. Because hacktivists are motivated by creating disruption versus financial gain, public utilities have been pushed further into the spotlight as potential targets. http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Remote-Access.pdf Top

    Cybersecurity Risks and the Board of Directors Harvard Article http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Risks-Board.pdf Top

    Cybersecurity for Utilities: The Rest of the Story - by Jim Rowan of SERC - presentation about growing cyber and physical risk to utilities - http://www.EnergyCollection.us/Companies/SERC/Cybersecurity-Utilities-Rest.pdf Top

    Dark Reading Cyber News - is a comprehensive news and information portal that focuses on IT security, helping information security professionals manage the balance between data protection and user access. Website: http://www.darkreading.com Top

    The Debate Over Cyber Threats - http://www.EnergyCollection.us/Energy-Security/Debate-Over-Cyber.pdf Top

    Dell

    Dell Cybersecurity webpage http://www.dell.com/learn/us/en/84/campaigns/slg-pov-cybersecurity

    How Traditional Firewalls Fail Today's Networks - and Why Next-Generation Firewalls Will Prevail - Dell - http://www.EnergyCollection.us/Energy-Security/How-Traditional-Firewalls.pdf Top

    Deloitte see the Center for corporate governance http://www.corpgov.deloitte.com Top

    Cybersecurity and the Audit Committee - Deloitte - A Deloitte Audit Committee Brief - http://www.EnergyCollection.us/Energy-Security/Cybersecurity-Audit-Committee.pdf Original at http://deloitte.wsj.com/riskandcompliance/2013/08/30/cybersecurity-and-the-boardroom/ accessed 2014-05-11 Top

    Cybersecurity...Continued in the Boardroom - The August 2013 Deloitte Audit Committee Brief highlighted organizational roles and responsibilities for cybersecurity, beginning with the board of directors and audit committee. This article continues the discussion with further information on the board's role related to cybersecurity. http://www.EnergyCollection.us/Energy-Security/cybersecurity-Continued-Boardroom.pdf Top

    Deloitte - Audit Committee Brief - 2014-05-01 - includes "Questions the audit committee may consider asking management to assess the company's readiness to prevent and respond to cyber attacks" http://www.EnergyCollection.us/Companies/Deloitte/Audit-Committee-Brief-2014-05-01.pdf Top

    SEC's Focus on Cybersecurity - Key insights for investment advisors http://EnergyCollection.us/Companies/Deloitte/SECs-Focus-Cybersecurity.pdf Top

    Department of Energy - DOE

    2012 DOE Smart Grid Cybersecurity Information Exchange - 2012-12-05-06 - Recipients of the American Recovery and Reinvestment Act of 2009 (ARRA) Smart Grid Investment Grants (SGIG) and Smart Grid Demonstration Program (SGDP) are in the midst of installing nearly $8 billion in advanced smart grid technologies and systems that could dramatically change the way electricity is produced, managed, and used in the United States. One of the key challenges for utilities is to implement smart grid devices and systems while ensuring and enhancing the cybersecurity of these digital systems. Toward this end, the 2012 DOE Smart Grid Cybersecurity Information Exchange (2012 Information Exchange) held in Washington, DC on December 5 and 6, 2012, enabled SGIG and SGDP recipients to: (1) share information and lessons learned in developing and implementing their Cybersecurity Plans (CSP); (2) learn about available tools, techniques, and resources for strengthening the security of cyber systems; and (3) gain a common understanding of how to sustain cybersecurity processes once the ARRA projects are completed. Through interactive peer-to-peer exchanges, panel discussions, expert presentations, and poster sessions, attendees of the 2012 Information Exchange discussed critical issues and insights arising from the implementation of their cybersecurity programs and looked to the future of cybersecurity for the electric grid. These discussions produced important lessons learned and best practices from implementing cybersecurity in smart grid systems. http://www.EnergyCollection.us/Energy-Security/2012-DOE-Smart-Grid.pdf Top

    AMI Penetration Test Plan - This security test plan template was created by the National Electric Sector Cybersecurity Organization Resource (NESCOR) to provide guidance to electric utilities on how to perform penetration tests on AMI systems. Penetration testing is one of the many different types of assessments utilities can perform to assess their overall security posture. While NESCOR recommends that utilities engage in all other forms of security assessment, NESCOR created this document to help utilities plan and organize their AMI penetration testing efforts. For a list of other types of Smart Grid security assessments, please see NESCOR's whitepaper titled "Guide to Smart Grid Assessments". For a list of other NESCOR Penetration Test Plan documents that cover other systems such as Wide-Area Monitoring, Protection, and Control (WAMPAC), Home Area Network (HAN), or Distribution Management, please see NESCOR's website or contact one of the persons listed above. http://www.EnergyCollection.us/Energy-Security/AMI-Penetration-Test.pdf Top

    Analysis of Selected Electric Sector High Risk Failure Scenarios - NESCOR - 2013-09-01 - These provide detailed analyses for a subset of the failure scenarios identified in the short failure scenario document listed above. All analyses presented include an attack tree, whi